I guessed something like that, and I was going to look for a means to
detect what mechs support it, because the idassert code currently
assumes that when configured to use SASL method authz will be done
natively by SASL.

I suggest you just hardcode it for DIGEST-MD5 (and skip if
not available). Maybe support PLAIN as well (but you'll
have to configure both client & server to allow it without
TLS.

Err, I specifically requested this feature, specifically for
SASL/GSSAPI. So hard coding this for DIGEST-MD5 again makes back-ldap
unusable for me.

I'm only referring to mechanism selection in this particular
test script. Dealing with GSSAPI in the test suite would be
painful.